• If possible, don’t bring the laptop.
• If they must bring it, put it in the trunk before leaving work not after arrival at the store.
• Putting the laptop in the trunk at the store is like raising a red “Here is stuff worth stealing” flag to any watching thief.
• If you bring it home, don’t leave it in your vehicle overnight—bring it in the house.

Thieves see an easily fenced (or gifted) electronic item. Their goal is probably not the data on the hard drive, but the company may find itself having to report a data breach. Ideally, the contents of the laptop will be encrypted and the laptop backed up on a regular basis to minimize the damage the loss of the equipment causes.

Russian or Armenian Mob Used “Model Employee” Con at PCH Arco

The question remains: what about those people who already provided the data–does the City retain this data and continue to use it? How do they have it secured? The questions I raised in my previous posting are still valid that apply to the information security controls on the data they’ve collected.

Here is a link to the article:

http://www.networkworld.com/community/node/42892

Here is an excerpt from their application:  “Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc.”  Also included in the application is a waiver of the applicant’s constitutional right to inspect the information: “In accordance with Montana Constitution, Article II, Section 9, I understand I have the right to review information obtained through the reference check process; however, by signing below, I realize the City of Bozeman will NOT release the information provided to them to any person, including myself.”  The application also indicates that the credentials may be used not only as an initial employment screening mechanism, but also periodically during the tenure of the employment. 

There are a number of obvious privacy issues with the extent of disclosure required to apply for a job with the City of Bozeman.  However, there are also a number of security issues that go beyond the invasion of privacy of the applicants.  One of them is the problem of the Terms of Service of the websites that a user frequents.  For instance, the Facebook Terms of Service Agreement specifically says:  “You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.”  Myspacehas similar language on their site.  In requiring prospective and current employees to disclose this information, they are also requiring these people to violate these contracts.  In effect, they are sending a message that their need to inspect the activities of people applying for jobs with the city is more important than either the contracts these people have entered into, or in fact, the security of the sites where they have relationships.  It also sets precedence that disclosing login credentials as an acceptable behavior when prompted to do so by someone who has something the respondent desires—in this case a job.  Is this behavior they would encourage in their own employees? 

Another issue is the potential for the mishandling of the data being collected.  While the application assures people that this will only be used to determine the suitability of applicants for a specific job, these are the credentials for sites that the person had some expectation of privacy in using prior to filling out this form.  They have treated it as a private account and there may be sensitive details of their lives in them.  How are these forms stored?  Are they destroyed if the decision is made not to hire the applicant?  How long are they retained and what controls are put in place to keep the credentials from being used inappropriately?  Are there audit trails in place to show who has accessed the form data?

Finally, from the perspective of someone who does workplace investigations, the fact that the company now holds the account credentials makes it more challenging to attribute activities taken under that account to the owning individual.  It introduces deniability, particularly as the number of people with access to the credential data increases.  In gaining access in this manner, the City of Bozeman has made the job of investigating/prosecuting subsequent actions of affected employees more difficult.

Lazar, B. (2008). Massachusetts Data Privacy and Security Laws Impact Companies Across U.S. Retrieved January 14, 2009, from http://www.cio.com/article/460516/Massachusetts_Data_Privacy_and_Security_Laws_Impact_Companies_Across_U.S.?source=home_ts

Summary

Massachusetts enacted a new data privacy law that initially took effect January 1, 2009, but was postponed until May 1, 2009 to allow businesses more time for compliance, spells out significant requirements for a security program for businesses doing business with residents.  The regulation, titled “201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth” is published here: 

http://www.mass.gov/?pageID=ocaterminal&L=3&L0=Home&L1=Business&L2=Identity+Theft&sid=Eoca&b=terminalcontent&f=idtheft_201cmr17&csid=Eoca

It applies to both paper and electronic data, and affects companies who “own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts”

Perspective

This law is more comprehensive than many of the data privacy laws on the books today, and approaches the Payment Card Industry guidelines as far as spelling out requirements for data protection.  It specifically calls out a requirement for:

• a company employee to be responsible for the written security program, and outlines the contents of that program
• companies to perform risk assessments on their information assets, whether paper or electronic
• the development of security policies and employee training on them, plus annual reviews of the program
• protecting information assets from terminated employees
• protection information assets from abuse by third party partners
• developing an information identification and classification program
• detailed computer security requirements including access control/authentication, encryption of data in transit across public networks or transmitted wirelessly, encryption of data stored on portable devices, including laptops, security patching and firewalling of internet connected systems, and the use of virus software.

Many of these have been specified for companies doing business with the Payment Card Industry, but for those small companies that have been exempt from other regulation, these requirements may be daunting.  Particularly in the case of small companies, where IT staff may not be employed, adherence to these requirements will be costly. 

The bigger issue to watch will be the way other states react to this new regulation.  It may herald a new wave of stricter controls passed in the other states. 

The link to the survey is:

Click Here to take survey

The link to view the results is:

http://www.surveymonkey.com/sr.aspx?sm=jhfIit6908jUaABovOc_2bJY6mT1lKEQmiq8yUSr7RqSg_3d

Thank you for your feedback.

Schwerha IV, J. (2008). Why computer forensic professionals shouldn’t be required to have private investigator licenses. Digital Investigations. 5(1-2), Retrieved
December 15, 2008 from http://www.elsevierscitech.com/pdfs/Legal_Commentary.pdf

Summary

Over the past year, there has been a significant push to pass laws requiring computer forensic professionals to obtain a Private Investigator’s (P.I.) license to practice in certain circumstances. Primarily, these include private consultants who are not working for a law enforcement agency or performing corporate investigations for their employer. The article above makes the case that this requirement is not necessary, and in fact does not contribute towards ensuring that those performing these activities with a P.I. license are more skilled or better trained than those who are not licensed.

Analysis

The author raises several critical points in this article. First, he outlines the problem of licensing across multiple jurisdictions as a barrier to entry. In his example, lawyers are required to have met specific educational goals, such as obtaining a law degree and passing the bar exam in the states where they plan to practice. He raises the issue that to be licensed as a P.I. the practitioner would have to know in advance which states might be involved in each case and obtain a license ahead of time. In incident response (where computer forensics professionals are frequently brought into a case), the company that hires a consultant may reside in one state, their servers in another state (or country), and the perpetrator of the crime in yet another location. It is not practical to anticipate where the next case may require licensing.

The second major point the author raises is the requirements for licensing. They vary from state to state, and are frequently unrelated to the skills and education required to perform computer forensics competently.

“For instance, in Vermont requires that an applicant work under a licensed private investigator for 2000 hours; but, does not require any knowledge or experience in the area of computer forensics (Kessler, 2008).” (Schwerha, p. 71)

In some cases, the requirement represents a barrier to entry to anyone who is not already licensed. The requirements for licensing that include working under an already licensed P.I. are an example of this—despite already being highly skilled as a computer forensic professional, practitioners may hesitate to do consulting (or even volunteer work) because they cannot afford to take the time to complete the licensing requirement.

Adding to the complexity of the problem is the fact that no uniform definition of computer forensics is available from the profession.

“There is no consistent, workable definition of a computer forensic professional upon which the States may depend to adequately regulate the field.” (Schwerha, p. 71)

Some states have worded their laws so poorly that computer repair technicians may fall under their jurisdiction. The author recommends handling the problem of whether a computer forensics practitioner is competent by requiring a certifying body tackle the problem, rather than trying to force the P.I. licensing issue.

A systematic approach to this problem would yield some relevant data. A common set of skills that are required to perform digital forensics should be developed, and standard certifications developed to ensure that those who are practicing meet the minimum requirements for the profession.